Is security awareness training effective in the financial industry as employees work from home?
It is often said that the weakest link in the safety chain is the human operator, be it an employee or even a customer.
To that end, banks, credit unions, investment firms, and insurance companies have embraced “security awareness training” over the past twelve years or so with the goal of bringing their employees into the fold of cyber hygiene, to get them to be part of the solution, not the problem. In fact, nearly half of business leaders (47%) say “human error” is responsible for the breaches they have experienced, according to research by Shred-It.
In other words, financial companies conducted these awareness programs, using internal IT security personnel and external consultants, with the aim of ensuring that their employees would follow basic security practices such as using strong passwords, which they change regularly; adopt multi-factor authentication, if necessary; not share their work computer or other devices with colleagues or friends; and not use any external devices (such as their own personal mobile device or a USB key that they collect).
“It’s no surprise that security awareness training is growing in popularity, but I would bet that the unchanged or declining effectiveness of this training is due to the type of training used,” said Daniel Trauner, senior director of security at Axonius. “Everyone wants a cheap, quick-to-implement, and unique solution to the perennial problem of human behavior.”
Much of this training comes in the form of phishing simulations or other exercises designed to trick employees, which “are both simple to implement and easy to measure,” Trauner added.
The rules can vary considerably, even within the financial sector, depending on the activities of the institution and the role of the employees themselves. However, as financial fraud has grown rapidly over the past two years (growing even faster than it had been), getting financial employees to follow the rules has been a challenge, especially in a large organization where people often work remotely. According to Trend Micro, ransomware attacks against banks increased by 1,318% last year, while cases of basic fraud increased by 238%.
Over the past two years, with so many employees working remotely full-time or part-time and the pressures brought on by the pandemic, employees have arguably become sloppy and overwhelmed. After two years of recurring lockdowns, mask-wearing and general stress, Tessian’s research found that 56% of IT security managers think employees have bad cybersecurity habits. It indicates that 1 in 3 employees believe they may engage in riskier behavior when working remotely. This, in turn, has led to unintentional – as opposed to malicious – insider risk.
According to recent research published by Code42, the financial industry does better than most industries in raising security awareness and developing insider risk programs – with more than 2 in 5 (41%) of financial firms dispensing employee data security training every week, and 19% more do it every month.
Yet the same study found that more than three-quarters (78%) of finance survey respondents believe data security training for employees should happen more often, and a full half of finance executives (50% ) think their organizations should “completely overhaul” how they do data security training.